Create Intermediate Certificates from a CA

TL;DR

Yes, you can create intermediate certificates under a Certificate Authority (CA) certificate whose private key you hold. This is common practice for better security and scalability. You’ll use OpenSSL to generate a private key for the intermediate certificate, then sign its Certificate Signing Request (CSR) with your CA’s private key, marking the result as a CA certificate so that it can issue certificates itself.

Steps

  1. Understand Intermediate Certificates: An intermediate certificate acts as a bridge between your root CA and the end-entity certificates you issue. It allows you to delegate signing authority without exposing your root CA’s private key.
  2. Prerequisites: You’ll need:
    • OpenSSL installed on your system.
    • Your CA certificate (ca.crt).
    • Your CA private key (ca.key) – Keep this extremely secure!
  3. Generate a Private Key for the Intermediate Certificate: This is the first step in creating your intermediate certificate.
    openssl genrsa -out intermediate.key 2048

    This command creates a 2048-bit RSA private key and saves it to intermediate.key. You can increase the bit length for stronger security (e.g., 4096).

  4. Create a Certificate Signing Request (CSR) for the Intermediate Certificate: The CSR contains information about your intermediate certificate.
    openssl req -new -key intermediate.key -out intermediate.csr

    You will be prompted to enter details like Country Name, State/Province, Locality Name, Organization Name, Common Name (this is often a descriptive name for the intermediate CA), and an email address. The Common Name is important; choose something meaningful.

  5. Sign the CSR with Your CA’s Private Key: This step creates the actual intermediate certificate by having your root CA sign the request. Note that openssl x509 -req copies no extensions from the CSR, so without an extension file the result is a plain end-entity certificate that cannot itself sign anything. Put the CA extensions in a small file (here called intermediate.ext) containing at least basicConstraints = critical, CA:true and keyUsage = critical, keyCertSign, cRLSign, and pass it with -extfile:
    openssl x509 -req -in intermediate.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile intermediate.ext -out intermediate.crt -days 3650
    • ca.crt is your CA certificate.
    • ca.key is your CA private key.
    • -CAcreateserial creates a serial number file if one doesn’t exist.
    • -extfile intermediate.ext applies the CA extensions; adding pathlen:0 to basicConstraints stops the intermediate from issuing further CAs.
    • intermediate.crt will be the name of your new intermediate certificate.
    • -days 3650 sets the validity period to 10 years (adjust as needed). Longer validity periods are generally discouraged for security reasons; consider shorter durations.
  6. Verify the Intermediate Certificate: Check that it’s correctly signed by your CA.
    openssl verify -CAfile ca.crt intermediate.crt

    This should output “intermediate.crt: OK” if the verification is successful.

  7. Configure Your Server/Application: Add the intermediate certificate to your server’s or application’s trust chain. This usually involves concatenating the intermediate certificate with your CA certificate in a single file (ca_bundle.crt).
    cat ca.crt intermediate.crt > ca_bundle.crt
  8. Update Clients: Ensure clients trust the new chain. At minimum the root certificate (ca.crt) must be in their trust stores, and the intermediate must be available to them, either because the server sends it alongside the leaf certificate or because you distribute the ca_bundle.crt file.
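The whole procedure as an added, runnable example (not code from the original post): it builds a scratch root CA, signs the intermediate once with and once without the CA extensions, issues a leaf from each, and verifies the leaf against the root the way a client would. The subject names (demo-*, www.example.test), the scratch directory and the file intermediate.ext are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway root CA, sign an
# intermediate from a CSR, issue a leaf from that intermediate and verify the
# chain. Subject names (demo-*) and the scratch directory are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extension profile that makes the intermediate a real CA: CA:true with
# pathlen 0 (it may issue leaves, not further CAs) and cert/CRL signing usage.
cat > "$WORK/intermediate.ext" <<'EOF'
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# Root CA, self-signed. -nodes leaves the key unencrypted: acceptable for a
# scratch demo only; a real root key lives encrypted or in an HSM.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 365 2>/dev/null
# Intermediate key and CSR, as in steps 3 and 4 above (no prompts: -subj).
openssl genrsa -out "$WORK/intermediate.key" 2048 2>/dev/null
openssl req -new -key "$WORK/intermediate.key" -subj "/CN=demo-intermediate" \
  -out "$WORK/intermediate.csr"

# build_chain EXTFILE: sign the intermediate (with CA extensions when EXTFILE
# is non-empty, without them when it is ""), issue a leaf from it, then verify
# the leaf against the root. Returns 0 if the chain verifies, non-zero if not.
build_chain() {
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    ${1:+-extfile "$1"} -out "$WORK/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 90 \
    -out "$WORK/leaf.crt" 2>/dev/null
  # Only the root is a trust anchor; the intermediate is passed as -untrusted,
  # which is how a TLS client sees it when the server sends it in the handshake.
  openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/intermediate.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Returns 0 when the intermediate currently on disk carries CA:TRUE.
intermediate_is_ca() {
  openssl x509 -in "$WORK/intermediate.crt" -noout -text | grep -q 'CA:TRUE'
}

# Demo: with the extensions the chain verifies; without them the leaf is rejected.
build_chain "$WORK/intermediate.ext" && echo "with CA extensions: verify OK"
build_chain "" || echo "without CA extensions: verify FAILED (invalid CA)"
```

The second run reproduces the classic "invalid CA certificate" failure you get when step 5 is done without -extfile, even though openssl verify on the intermediate alone still reports OK.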